Date:	Mon, 12 May 2014 03:13:52 -0700
From:	Hannes Frederic Sowa <hannes@...essinduktion.org>
To:	Duan Jiong <duanj.fnst@...fujitsu.com>,
	David Miller <davem@...emloft.net>
Cc:	netdev <netdev@...r.kernel.org>
Subject: Re: [PATCH] ipv6: update Destination Cache entries when gateway turn into host

On Sun, May 11, 2014, at 20:07, Duan Jiong wrote:
> On 2014-05-12 08:54, Hannes Frederic Sowa wrote:
> > On Thu, May 8, 2014, at 20:24, Duan Jiong wrote:
> >>
> >> RFC 4861 states in 7.2.5:
> >>
> >> 	The IsRouter flag in the cache entry MUST be set based on the
> >>          Router flag in the received advertisement.  In those cases
> >>          where the IsRouter flag changes from TRUE to FALSE as a result
> >>          of this update, the node MUST remove that router from the
> >>          Default Router List and update the Destination Cache entries
> >>          for all destinations using that neighbor as a router as
> >>          specified in Section 7.3.3.  This is needed to detect when a
> >>          node that is used as a router stops forwarding packets due to
> >>          being configured as a host.
> >>
> >> Currently, when dealing with an NA message whose IsRouter flag changes from
> >> TRUE to FALSE, the kernel only removes the router from the Default Router List
> >> and doesn't update the Destination Cache entries.
> >>
> >> Now, in order to update those Destination Cache entries, I introduce the
> >> function rt6_clean_tohost().
> >>
> >> [...]
> >>
> >> +/*remove routers and update dst entries when gateway turn into host.*/
> >> +static int fib6_clean_tohost(struct rt6_info *rt, void *arg)
> >> +{
> >> +	struct in6_addr *gateway = (struct in6_addr *)arg;
> >> +
> >> +	if (((rt->rt6i_flags & (RTF_ADDRCONF | RTF_DEFAULT | RTF_GATEWAY))
> >> +	    == (RTF_ADDRCONF | RTF_DEFAULT | RTF_GATEWAY))
> >> +	    && ipv6_addr_equal(gateway, &rt->rt6i_gateway)) {
> >> +		return -1;
> >> +	} else if (((rt->rt6i_flags & (RTF_GATEWAY | RTF_CACHE))
> >> +		      == (RTF_GATEWAY | RTF_CACHE))
> >> +		    && ipv6_addr_equal(gateway, &rt->rt6i_gateway)) {
> >> +		rt->rt6i_flags |= RTF_REJECT;
> >> +		rt->dst.error = -ENETUNREACH;
> >> +	}
> >> +	return 0;
> >> +}
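Review bot: ipv6_addr_equal(gateway, &rt->rt6i_gateway) is evaluated in both branches of the if/else; testing it once at the top and returning 0 when it fails would leave each branch checking only its flag mask. The second branch rewrites a cached route in place (`rt->rt6i_flags |= RTF_REJECT;` / `rt->dst.error = -ENETUNREACH;`) and nothing in this hunk undoes that if the neighbour later advertises itself as a router again, so the entry keeps rejecting until garbage collection; the router that temporarily switches forwarding off and on, which this thread raises, is exactly that case. Style: the header comment `/*remove routers and update dst entries when gateway turn into host.*/` needs spaces inside the delimiters and should read `/* Remove routers and update dst entries when a gateway turns into a host. */`; the commit message also names rt6_clean_tohost() while the only function in the hunk is fib6_clean_tohost(), so the relationship between the two is worth spelling out there.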
> > 
> > I am not so happy with that but have not tried that.
> > 
> > The Destination Cache you quote from the RFC (if you follow 7.3.3.) actually refers to the neighbouring
> > subsystem, where we would need to generate subsequent errors in case we try to forward a packet
> > through this particular router.
> > 
> > The reason why I am not that happy is that the semantics when neighbour nodes are cleared are well
> > defined, but we don't have such semantics when those rt6_nodes get cleared up. E.g. consider a router
> > which just temporarily switches forwarding off and on.
> > 
> > I guess we need to inspect NTF_ROUTER flag in the output path somehow. :/
> 
> Why do we need to inspect the NTF_ROUTER flag?
> In my opinion, the problem is that we can't use the neighbour node as next hop.

I agree. I don't see a problem with returning -1 from the function but with the case
where you originate errors from the routing table by setting rt->dst.error. These
entries have a lifetime governed by the gc.

Greetings,

  Hannes
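A stand-alone C model of the RFC 4861 7.2.5/7.3.3 behaviour the thread is about, added here as an example; it is not kernel code and not part of the patch under discussion. The tables, the string addresses and the function names (add_router, add_dest, next_hop_of, handle_na) are constructed for the illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: RFC 4861's Default Router List and Destination Cache as fixed string tables. */
enum { MAX_ENTRIES = 8, ADDR_LEN = 40 };
struct dest_entry { char dest[ADDR_LEN]; char next_hop[ADDR_LEN]; bool stale; };
static char default_routers[MAX_ENTRIES][ADDR_LEN];
static struct dest_entry dcache[MAX_ENTRIES];
static int n_routers, n_dests;

static void add_router(const char *addr)
{
    snprintf(default_routers[n_routers++], ADDR_LEN, "%s", addr);
}

static void add_dest(const char *dest, const char *next_hop)
{
    struct dest_entry *e = &dcache[n_dests++];
    snprintf(e->dest, ADDR_LEN, "%s", dest);
    snprintf(e->next_hop, ADDR_LEN, "%s", next_hop);
    e->stale = false;
}

/* NULL means the entry was invalidated: next-hop determination must run again. */
static const char *next_hop_of(const char *dest)
{
    for (int i = 0; i < n_dests; i++)
        if (!strcmp(dcache[i].dest, dest))
            return dcache[i].stale ? NULL : dcache[i].next_hop;
    return NULL;
}

/* 7.2.5: an NA with the Router flag clear from a neighbour on the Default Router
 * List (IsRouter TRUE -> FALSE) removes that router and invalidates each Destination
 * Cache entry using it as next hop (7.3.3). Returns the number invalidated. */
static int handle_na(const char *from, bool router_flag)
{
    int r = 0, invalidated = 0;
    while (r < n_routers && strcmp(default_routers[r], from)) r++;
    if (router_flag || r == n_routers)
        return 0;                               /* still a router, or never one */
    memmove(default_routers[r], default_routers[--n_routers], ADDR_LEN);
    for (int i = 0; i < n_dests; i++)
        if (!dcache[i].stale && !strcmp(dcache[i].next_hop, from)) {
            dcache[i].stale = true;
            invalidated++;
        }
    return invalidated;
}
```

An advertisement that keeps the Router flag set, or comes from a neighbour never on the list, changes nothing; only the TRUE-to-FALSE transition removes the router and forces next-hop determination for the destinations that used it.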